From patchwork Wed Jan 10 01:26:39 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kevin Loughlin
X-Patchwork-Id: 186653
Date: Wed, 10 Jan 2024 01:26:39 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.43.0.275.g3460e3d667-goog
Message-ID: <20240110012640.1335694-1-kevinloughlin@google.com>
Subject: [RFC PATCH] x86/sev: x86/sev: enforce PC-relative addressing in clang
From: Kevin Loughlin
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen,
    x86@kernel.org, "H. Peter Anvin", Andy Lutomirski, Peter Zijlstra,
    Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt,
    "GitAuthor: Kevin Loughlin", Rick Edgecombe, Kees Cook,
    "Masami Hiramatsu (Google)", Ze Gao, Josh Poimboeuf, Pengfei Xu,
    Brijesh Singh, Michael Roth, Ashish Kalra, "Kirill A. Shutemov",
    Tom Lendacky, Joerg Roedel, linux-kernel@vger.kernel.org,
    llvm@lists.linux.dev, linux-coco@lists.linux.dev
Cc: Adam Dunlap, Peter Gonda, Jacob Xu, Sidharth Telang

SEV/SME code can execute prior to page table fixups for kernel
relocation. However, as with global variables accessed in
__startup_64(), clang does not currently generate PC-relative accesses
for SEV/SME global variables, causing certain flavors of SEV hosts and
guests to crash.

While an attempt was made to force PC-relative addressing for certain
global SEV/SME variables via inline assembly (see
snp_cpuid_get_table() for example), PC-relative addressing must be
pervasively-enforced for SEV/SME global variables that can be accessed
prior to page table fixups.

To avoid the error-prone approach of manually referencing each SEV/SME
global variable via a general form of snp_cpuid_get_table(), it is
preferable to use compiler flags for position-independent code (ex:
`-fPIE`) that result in PC-relative accesses. While
architecture-specific code for Linux can be pervasively compiled as
position-independent on select architectures (ex: RISC-V), this is not
currently the case for x86-64 and would require extensive changes (see
"[PATCH RFC 00/43] x86/pie: Make kernel image's virtual address
flexible" for example). Fortunately, the relevant files for SEV/SME
code do indeed support position-independent clang compilation, so we
can use this technique to ensure all global variables in these files
are accessed via PC-relative addressing.

Unlike clang, gcc does not currently allow `-fPIE` in conjunction with
`mcmodel=kernel`. Thus, to preserve existing gcc behavior, this patch
does not remove the (otherwise unnecessary) inline assembly that
already enforces PC-relative addressing for select SEV/SME globals
(mentioned above). If gcc supports these joint options in the future,
we can remove such inline assembly and also apply this patch to gcc
builds.

Tested by successful boot of SEV-SNP guest built with clang, alongside
Adam Dunlap's necessary "[PATCH v2] x86/asm: Force
native_apic_mem_read to use mov".

Fixes: 95d33bfaa3e1 ("x86/sev: Register GHCB memory when SEV-SNP is active")
Fixes: ee0bfa08a345 ("x86/compressed/64: Add support for SEV-SNP CPUID table in #VC handlers")
Fixes: 1cd9c22fee3a ("x86/mm/encrypt: Move page table helpers into separate translation unit")
Fixes: c9f09539e16e ("x86/head/64: Check SEV encryption before switching to kernel page-table")
Fixes: b577f542f93c ("x86/coco: Add API to handle encryption mask")
Tested-by: Kevin Loughlin
Signed-off-by: Kevin Loughlin
---
 arch/x86/coco/Makefile   | 10 ++++++++++
 arch/x86/kernel/Makefile | 10 ++++++++++
 arch/x86/mm/Makefile     | 13 +++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/arch/x86/coco/Makefile b/arch/x86/coco/Makefile index c816acf78b6a..286950596ee9 100644 --- a/arch/x86/coco/Makefile +++ b/arch/x86/coco/Makefile 
@@ -5,4 +5,14 @@ CFLAGS_core.o += -fno-stack-protector obj-y += core.o +# clang allows -fPIE with mcmodel=kernel; gcc currently does not. +ifdef CONFIG_CC_IS_CLANG +# Enforce PC-relative addressing for SEV/SME global variables. +CFLAGS_core.o += -fPIE +# Disable relocation relaxation in case the link is not PIE. +CFLAGS_core.o += $(call cc-option,-Wa$(comma)-mrelax-relocations=no) +# Avoid unnecessary GOT overhead in PC-relative addressing. +CFLAGS_core.o += -include $(srctree)/include/linux/hidden.h +endif + obj-$(CONFIG_INTEL_TDX_GUEST) += tdx/ diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 0000325ab98f..bf85f9de89e9 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -7,6 +7,16 @@ extra-y += vmlinux.lds CPPFLAGS_vmlinux.lds += -U$(UTS_MACHINE) +# clang allows -fPIE with mcmodel=kernel; gcc currently does not. +ifdef CONFIG_CC_IS_CLANG +# Enforce PC-relative addressing for SEV/SME global variables. +CFLAGS_sev.o += -fPIE +# Disable relocation relaxation in case the link is not PIE. +CFLAGS_sev.o += $(call cc-option,-Wa$(comma)-mrelax-relocations=no) +# Avoid unnecessary GOT overhead in PC-relative addressing. +CFLAGS_sev.o += -include $(srctree)/include/linux/hidden.h +endif + ifdef CONFIG_FUNCTION_TRACER # Do not profile debug and lowlevel utilities CFLAGS_REMOVE_tsc.o = -pg diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index c80febc44cd2..7abf20a94451 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile 
@@ -17,6 +17,19 @@ KCSAN_SANITIZE := n # Avoid recursion by not calling KMSAN hooks for CEA code. KMSAN_SANITIZE_cpu_entry_area.o := n +# clang allows -fPIE with mcmodel=kernel; gcc currently does not. +ifdef CONFIG_CC_IS_CLANG +# Enforce PC-relative addressing for SEV/SME global variables. +CFLAGS_mem_encrypt_amd.o += -fPIE +CFLAGS_mem_encrypt_identity.o += -fPIE +# Disable relocation relaxation in case the link is not PIE. +CFLAGS_mem_encrypt_amd.o += $(call cc-option,-Wa$(comma)-mrelax-relocations=no) +CFLAGS_mem_encrypt_identity.o += $(call cc-option,-Wa$(comma)-mrelax-relocations=no) +# Avoid unnecessary GOT overhead in PC-relative addressing. +CFLAGS_mem_encrypt_amd.o += -include $(srctree)/include/linux/hidden.h +CFLAGS_mem_encrypt_identity.o += -include $(srctree)/include/linux/hidden.h +endif + ifdef CONFIG_FUNCTION_TRACER CFLAGS_REMOVE_mem_encrypt.o = -pg CFLAGS_REMOVE_mem_encrypt_amd.o = -pg
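
Review bot: in the arch/x86/coco/Makefile hunk, `CFLAGS_core.o += -fPIE` is gated on CONFIG_CC_IS_CLANG even though the very next line already probes the toolchain with cc-option. The stated reason for the gate is that gcc rejects -fPIE together with mcmodel=kernel, so probing for that combination instead of testing the compiler's name would express the real condition and would cover gcc automatically if it gains support, which the commit message anticipates. Separately, core.o is listed under obj-y, so these flags apply to every build of this directory and not only to SEV/SME configurations; either the comment "for SEV/SME global variables" should say that, or the block should be conditioned on the relevant config option.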
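
Review bot: in the arch/x86/kernel/Makefile hunk, the comment "Avoid unnecessary GOT overhead in PC-relative addressing" above `CFLAGS_sev.o += -include $(srctree)/include/linux/hidden.h` does not say whether the include is needed for correctness. The commit message's goal is that globals are reachable before page table fixups, so the comment should state whether hidden visibility is required to keep accesses from going through a GOT entry or is only an optimization; as worded, a later cleanup could drop it as cosmetic. The same three-flag block also appears verbatim in all three Makefiles, and defining the flag set once in a shared variable would keep the copies from drifting.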
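
Review bot: in the arch/x86/mm/Makefile hunk, -fPIE is added for mem_encrypt_amd.o and mem_encrypt_identity.o, but the CONFIG_FUNCTION_TRACER context directly below also lists mem_encrypt.o, which gets no new flags. If mem_encrypt.o has no globals that are touched before page table fixups, a one-line comment saying so would document why it is left out; otherwise it needs the same treatment. The six per-object lines would also be easier to audit if each object's flags were grouped together, or if one flag variable were applied to both objects.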